15 Jan 2025

WordPress Security Header Plugins Still Claiming to Provide Protection With Headers That Web Browsers Long Ago Stopped Supporting

In looking into complaints about the search functionality of the WordPress Plugin Directory recently, a common complaint we saw is that new plugins don’t get promoted. As part of an alternative search functionality we have been putting together, we decided to try to address that in part by including a new plugin after the first ten results for queries. When doing a search on “security,” that currently highlights a security headers plugin:

[Read more]

7 Dec 2023

The X-XSS-Protection Security Header Won’t Provide Protection Against XSS Attacks on Your WordPress Website

Last week, we looked at the so-called Advanced XSS Protection offered by a 1+ million install WordPress plugin, which turned out to not provide protection, advanced or otherwise. That involved, in part, the security header X-XSS-Protection, which seems worth going into more detail about, as many security plugins offer implementing it as a feature.

Security headers are instructions sent to web browsers that are supposed to tighten the security of websites. Whether they actually do that is something the various guides touting them don’t even try to address. You should be wary of any security advice that isn’t backed up with evidence, as people often believe and spread beliefs about security that don’t turn out to be true. [Read more]
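The point of the post above is that a header's presence says nothing about whether a browser still honours it. The following is an added example, not code from the post or from any plugin it discusses: a small audit that parses a raw HTTP response and separates headers current browsers act on from ones they ignore. The two response samples are constructed for the example (the first resembles what a typical "security headers" plugin emits, the second adds a Content-Security-Policy), and the header lists are this example's own classification, with X-XSS-Protection, Public-Key-Pins and Expect-CT treated as obsolete because the browser features they controlled have been removed or deprecated.

```python
"""Audit the security headers of an HTTP response: which ones current browsers
act on, and which ones are dead weight that merely look like protection."""
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from any real site).
PLUGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-d3adb33f'; object-src 'none'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

# Headers that no longer change browser behaviour (this example's own list).
OBSOLETE = {
    "x-xss-protection": "the XSS filter it switched on was removed from Chromium-based "
                        "browsers and never existed in Firefox; it does not stop XSS",
    "public-key-pins": "HTTP public key pinning was removed from browsers",
    "expect-ct": "deprecated; Certificate Transparency is enforced without it",
}

# Headers that current browsers still act on (this example's own list).
EFFECTIVE = {
    "content-security-policy": "restricts script sources; the real XSS mitigation",
    "strict-transport-security": "forces HTTPS on later visits",
    "x-frame-options": "blocks framing; superseded by CSP frame-ancestors",
    "x-content-type-options": "disables MIME sniffing",
    "referrer-policy": "limits Referer leakage",
    "permissions-policy": "restricts browser features",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.x response head into a lowercase-keyed dict.
    Only the block before the blank line is read; repeated headers are joined."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit(headers: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (obsolete headers present, effective headers present, effective headers missing)."""
    obsolete = sorted(h for h in headers if h in OBSOLETE)
    present = sorted(h for h in headers if h in EFFECTIVE)
    missing = sorted(h for h in EFFECTIVE if h not in headers)
    return obsolete, present, missing


def has_xss_mitigation(headers: Dict[str, str]) -> bool:
    """True only if a CSP with a script-src or default-src directive is present.
    X-XSS-Protection is deliberately not counted: browsers ignore it."""
    csp = headers.get("content-security-policy", "")
    directives = {d.strip().split(" ", 1)[0] for d in csp.split(";") if d.strip()}
    return bool(directives & {"script-src", "default-src"})


def report(raw: str) -> List[str]:
    """Human-readable audit lines for one raw response."""
    headers = parse_headers(raw)
    obsolete, present, missing = audit(headers)
    lines = [f"OBSOLETE  {h}: {OBSOLETE[h]}" for h in obsolete]
    lines += [f"EFFECTIVE {h}: {EFFECTIVE[h]}" for h in present]
    lines += [f"MISSING   {h}: {EFFECTIVE[h]}" for h in missing]
    lines.append("XSS mitigation via CSP: " + ("yes" if has_xss_mitigation(headers) else "NO"))
    return lines


if __name__ == "__main__":
    for label, raw in (("plugin defaults", PLUGIN_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        print("\n".join(report(raw)))
```

Run against the first sample, the audit flags X-XSS-Protection as obsolete and reports no CSP, so the response has no actual XSS mitigation despite the header; against the second, the CSP is what makes `has_xss_mitigation` true. The CSP check is intentionally crude (presence of `script-src` or `default-src`), enough to show that the evidence of protection lies in a policy the browser enforces, not in a header it discards.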

30 Nov 2023

Siteground’s Security Plugin’s Advanced XSS Protection Isn’t Protection, Advanced or Otherwise

SiteGround recently rebranded their SiteGround Security plugin for WordPress to Security Optimizer. That plugin has 1+ million installs according to WordPress.org stats. Like a lot of security plugins, the developer makes strong claims about what it offers. They start their description by claiming that you can “bulletproof your website security in a few clicks against a range of security breaches, including brute-force attacks, malware threats and bots.” One of the bullet-pointed features is described as Advanced XSS Protection, which they say will “fortify your website against malicious attacks”. What that actually does is not explained anywhere else in the description, but further checking showed that it isn’t offering protection, much less advanced protection.

On the plugin’s admin page where the feature can be enabled, it is suggested that this feature adds headers to the pages the website serves. The description reads: “Enabling this option will add extra headers to your site for protection against XSS attacks.” That still doesn’t say which headers, or how they are supposed to help. [Read more]